The recently released reports by Verizon, ArcSight/Ponemon, and Digital Forensics all offer some interesting data and statistics on breaches, but after reading them, I am reminded of the analogy of the six blind men and the elephant, as their findings are not always wholly consistent with each other. If we can generalize from the Verizon report, then about 85% of breaches are due to organized criminal gangs, stolen login credentials account for more hacks than any other hacking method, almost half of breaches leading to compromised records involve insiders misusing their privileges, malware and hacks account for 95% of compromised records, and the financial services sector accounts for over 90% of all compromised records.
But can we generalize from the Verizon study? Are their cases representative of all breaches and what we could expect to see if we had more transparency in breach disclosure, or are their cases only representative of breaches in which actual compromise or misuse has been confirmed? Do the findings of the Digital Forensic study more closely approximate what we see on a daily basis because their report is based on incidents that have all been disclosed to one degree or another?
Here are just a few ways in which the recently released reports agree or disagree:
Insiders vs. Outsiders:
Both the Verizon report and the Digital Forensics report indicate that external agents are responsible for the largest proportion of breaches, but disagree on the extent to which they are involved and the extent to which they account for compromised records. Verizon reports that insider events increased significantly in 2009 (due, in part, to the inclusion of USSS cases in their dataset), while Digital Forensics shows only a small increase in the percentage of insider events from 2008 to 2009. The Verizon report also suggests a higher rate of malicious/intentional insider breaches than the Digital Forensics report, which notes that when an insider is involved, it’s twice as likely to be an accident or error.
One of the more intriguing findings in the Verizon report is that insiders involved in breaches often had a history of minor infractions of policies and access controls prior to the significant incident.
Type of Incident/Attack Vector:
The Verizon study indicates that 48% of the incidents they investigated involved privilege misuse, 40% resulted from hacking, 38% utilized malware, 28% employed social tactics, and 15% comprised physical attacks. Digital Forensics, however, found that hacking accounted for only 16% of the breaches in their data set, while what they call the Laptop vector (the loss, theft or disposal of portable computers) was the leading vector for breaches for the five-year period of their study, accounting for 21% of breach incidents. Both studies, however, find that laptop theft contributes in only a minor way to the number of records exposed or compromised (1% of records in the Verizon study vs. 6% in the Digital Forensics study).
According to the Verizon report, malware was involved in 38% of breaches and contributed to the compromise of 94% of the records, while hacking contributed to 96% of compromised records. Digital Forensics found that hacking accounted for 45% of the compromised or exposed records over the course of their 5-year study, and that they had insufficient data on malware, login credentials compromise, and SQL injection to make any firm statements.
The Digital Forensics and Verizon studies agree that social tactics are a significant problem although it was more prominent in the Verizon report. The Digital Forensics report also finds that breaches involving paper documents are becoming an increasing problem. I doubt that last finding and suspect that what appears to be an increase is really an artifact of a few factors: (1) DataLossDB.org did not originally include paper records breaches, and (2) the media have been paying increasing attention to paper breaches in the past few years. That there may be increased awareness of this type of breach is encouraging, but I doubt that there’s been a significant increase in the actual number of breaches.
Sector:
While many comparisons between the studies are interesting, of special note is the Verizon finding that financial services, hospitality, and retail still comprise the “Big Three” of industries affected (33%, 23%, and 15% respectively). The Digital Forensics report, using a somewhat different system for organization types, reports that businesses (which would include the hospitality sector) accounted for 49% of all incidents in their data set, and that the financial sector (which they subsumed under business) accounted for approximately 25% of all breach incidents. Does the Verizon-USSS report over-represent “the big three” due to who contacts them for help? Perhaps. Both studies, however, agree that the financial services sector accounts for the largest percentage of compromised or exposed records and that hacking accounts for the largest percentage of records in the financial sector. The Verizon study assigns a significantly higher percentage to hacked records than does the Digital Forensics report.
Compromise to Discovery:
The Verizon and ArcSight studies both provide some data on the length of time from breach to discovery of the breach. Verizon notes that the percentage of breaches extending months or more before discovery is down for the third year in a row (65% to 50% to 44%), but for Verizon’s own cases (with USSS cases excluded), 2009 was actually the worst year yet on the time-to-discovery metric. Overall, 46% of all breaches in their dataset took months (37%) or years (7%) to discover and weeks (29%) or months (3%) to contain. In contrast, the ArcSight/Ponemon report, based on 50 companies that had experienced 45 breaches during their benchmark study, reported that the average time to containment was 14 days, but ranged from less than 24 hours to over 42 days. Strikingly, Verizon notes that the majority of cases continue to be detected by third parties and not the organizations themselves, even though in 86% of the breaches they investigated, log evidence was available and the entity could have detected the breach had they used their own logs.
Take-home Messages
So what can we take home from the three studies? It seems clear that stolen or compromised login credentials, malware, and SQL injection remain major security concerns and will continue to be so in the near future. It also seems clear that breaches could be detected — and contained — more quickly if organizations looked at and used their logs. The Verizon report makes it clear that simply patching known vulnerabilities in a timely fashion will not provide adequate protection and defense.
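To make the "use your logs" point concrete, here is an added example (it is not from the post or from any of the three reports) that runs two plain checks over a handful of constructed authentication and access-log lines: a burst of failed logins immediately followed by a successful one for the same account and source, which is the footprint that stolen or guessed credentials tend to leave, and accounts that repeatedly trip access-control denials, the kind of "history of minor infractions" the Verizon report observed among insiders before the significant incident. The log format, field names, sample values, and thresholds are all assumptions made for this example.

```python
"""
Added example, not part of the original post or the cited reports.
Two checks over constructed auth/access log lines, showing how the log
evidence the reports say was available could surface a breach in-house.
Log format is assumed: "<ISO timestamp> <EVENT> user=<u> src=<ip> [k=v ...]"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format); addresses are documentation ranges.
SAMPLE_LOG = """\
2009-11-03T02:10:01 LOGIN_FAIL user=jdoe src=203.0.113.7
2009-11-03T02:10:04 LOGIN_FAIL user=jdoe src=203.0.113.7
2009-11-03T02:10:08 LOGIN_FAIL user=jdoe src=203.0.113.7
2009-11-03T02:10:11 LOGIN_FAIL user=jdoe src=203.0.113.7
2009-11-03T02:10:15 LOGIN_FAIL user=jdoe src=203.0.113.7
2009-11-03T02:10:19 LOGIN_OK user=jdoe src=203.0.113.7
2009-11-03T09:15:00 LOGIN_OK user=asmith src=192.0.2.40
2009-11-03T09:16:10 ACCESS_DENIED user=asmith src=192.0.2.40 resource=/hr/payroll
2009-11-04T10:02:33 ACCESS_DENIED user=asmith src=192.0.2.40 resource=/hr/payroll
2009-11-05T11:40:12 ACCESS_DENIED user=asmith src=192.0.2.40 resource=/finance/exports
2009-11-05T11:41:00 LOGIN_FAIL user=bking src=198.51.100.9
2009-11-05T11:41:30 LOGIN_OK user=bking src=198.51.100.9
"""


def parse_line(line):
    """Split one assumed-format log line into a dict of timestamp, event and k=v fields."""
    ts, event, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse all non-empty lines, preserving their order (assumed chronological)."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def credential_compromise_alerts(records, min_failures=5, window=timedelta(minutes=5)):
    """Flag a LOGIN_OK preceded by >= min_failures LOGIN_FAIL events for the same
    (user, src) within `window`: a common sign of guessed or stolen credentials.
    Thresholds are assumptions for the example, not values from the reports."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failures since last success
    for r in records:
        key = (r.get("user"), r.get("src"))
        if r["event"] == "LOGIN_FAIL":
            failures[key].append(r["ts"])
        elif r["event"] == "LOGIN_OK":
            recent = [t for t in failures[key] if r["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": key[0], "src": key[1],
                               "failures": len(recent), "at": r["ts"]})
            failures[key].clear()  # a success resets the streak for that pair
    return alerts


def repeat_denial_users(records, min_denials=3):
    """Return users with >= min_denials ACCESS_DENIED events: a running record of
    minor access-control infractions worth a closer look before they escalate."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "ACCESS_DENIED":
            counts[r["user"]] += 1
    return {user: n for user, n in counts.items() if n >= min_denials}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in credential_compromise_alerts(recs):
        print(f"credential alert: {alert['user']} from {alert['src']} "
              f"after {alert['failures']} failures at {alert['at']}")
    for user, n in repeat_denial_users(recs).items():
        print(f"repeat denials: {user} ({n} events)")
```

On the sample data the first check fires once, for jdoe (five failures in under 20 seconds, then a success, all from one source), while bking's single failure followed by a success is ignored; the second check surfaces asmith with three denials across three days. Neither check proves a breach, but both are the kind of question an organization can answer from logs it already keeps rather than waiting for a third party to notice.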
Even if it should turn out that the Verizon report over-estimates the percentage of breaches involving criminal gangs, wouldn’t now be a good time to really consider not just hardening your defenses and increasing your auditing but also purging a lot of data that you really don’t need? Did Blue Cross Blue Shield of Tennessee really really need to keep 57 tapes of customer calls for quality control purposes? It took over 110,000 work hours to go through those tapes to determine what was on the tapes and who needed to be notified and the breach cost them over $7 million. Was the information worth it?